What is claimed is:

1. A method for conducting authenticated business transactions involving
microprocessor equipped devices over a distributed network, the method
comprising the acts of:

a) providing an on-line authentication service available on the distributed
network;

b) authenticating a plurality of users to said on-line authentication service
using a closed authentication system to produce a plurality of authenticated
users; and

c) connecting a group of at least two of said plurality of authenticated users
under persistent mediation of said on-line authentication service, producing
a connected group.

2. The method of claim 1 further comprising enrolling said users to said on-line
authentication service prior to authenticating said users to said on-line
authentication service.

3. The method of claim 2 wherein persistent mediation of said connected group
comprises compiling an audit trail of an interaction of said connected group.

4. The method of claim 3 wherein said closed authentication system is a pseudo-PKI
system of the type which cryptographically camouflages a user's private key in a
software container.

5. The method of claim 4 wherein the on-line service is a persistent authentication
and mediation service.
6. A method for conducting authenticated business transactions involving
microprocessor equipped devices over a distributed network, the method
comprising the acts of:

a) providing an on-line authentication service available on the distributed
network;

b) authenticating a plurality of users to said on-line authentication service
using a closed PKI authentication system to produce a plurality of
authenticated users; and

c) connecting a group of at least two of said plurality of authenticated users
under persistent mediation of said on-line authentication service, producing
a connected group.

7. The method of claim 6 further comprising enrolling said users to said on-line
authentication service prior to authenticating said users to said on-line
authentication service.

8. The method of claim 7 wherein persistent mediation of said connected group
comprises compiling an audit trail of an interaction of said connected group.

9. The method of claim 7 wherein said closed PKI authentication system is a
pseudo-PKI system of the type which cryptographically camouflages a user's
private key in a software container.

10. The method of claim 9 wherein the on-line service is a persistent authentication
and mediation service.
11. A method for conducting authenticated business transactions involving
microprocessor equipped devices over a distributed network, the method
comprising the acts of:

a) providing a persistent authentication and mediation service as an on-line
service on the distributed network;

b) enrolling users seeking enrollment in the persistent authentication and
mediation service, to produce a plurality of enrolled users;

c) receiving requests from enrolled users for authentication to the persistent
authentication and mediation service;

d) authenticating enrolled users seeking authentication to the persistent
authentication and mediation service using a closed PKI authentication
system, so as to maintain a plurality of authenticated users;

e) receiving requests from authenticated users to be connected to particular
other authenticated users;

f) connecting groups of at least two authenticated users under persistent
mediation of the persistent authentication and mediation service so that the
at least two authenticated users can conduct an interaction;

g) repeating act (f) to produce a plurality of groups of connected users; and

h) mediating the interaction among the at least two users of each of said
plurality of groups of connected users after connection, wherein the act of
mediating the interaction comprises the acts of providing authenticated
identity information to the interaction, directly compiling an audit trail of
the interaction and making information from the audit trail available to the
at least two users of each group of connected users.
12. The method of claim 11 wherein the act of enrolling users seeking enrollment in
the persistent authentication and mediation service comprises the acts of:

a) distributing software to a user seeking enrollment which enables
microprocessor equipped devices operated by the user seeking enrollment
to interact with said persistent authentication and mediation service,

b) generating a unique private key, and a unique public key for the user
seeking enrollment,

c) obtaining permanent credentials particular to each of the user seeking
enrollment, said credentials comprising public permanent credentials and
secret permanent credentials,

d) deciding whether to approve the applicant seeking enrollment;

e) distributing the unique public key and the unique private key to the user
seeking enrollment if the user seeking enrollment is approved, and

f) storing said permanent credentials in a customer database, said customer
database being accessible to said persistent authentication and mediation
service, whereby the user seeking enrollment becomes one of said
multiplicity of enrolled users, and

g) repeating steps (a) through (f) for each applicant seeking enrollment.

13. The method of claim 12 wherein the act of authenticating enrolled users seeking
authentication to the common authenticating service comprises the acts of:

a) generating a challenge message from the persistent authentication and
mediation service and sending it over the public network to an enrolled
user seeking authentication,

b) receiving a response to the challenge from the user seeking authentication,
said response comprising an encrypted message and the unique public key
unique to the enrolled user seeking authentication,

c) verifying the authenticity of the response to the challenge, the act of
verifying the authenticity comprising the act of decrypting the response
using the public key unique to the enrolled user seeking authentication to
produce a decrypted response,

d) authenticating the enrolled user seeking authentication if the decrypted
response indicates that the response was authentic, whereby the enrolled
user seeking authentication becomes an authenticated user,

e) rejecting the user if the decrypted response indicates that the response was
not authentic, and

f) repeating steps (a) through (e) for each enrolled user seeking
authentication.
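The challenge-response procedure of claim 13, carried through in Go as an added example; this is not code from the patent or its applicant. The claim names no algorithm, so the "encrypted message" that the service "decrypts using the public key" is modelled here as an ECDSA P-256 signature over the challenge, checked by signature verification. Two points the claim leaves implicit are made explicit and are this example's additions: the service honours each challenge once, so a captured response cannot be replayed, and the public key carried in the response is compared with the key recorded at enrollment rather than trusted on its own, since otherwise any freshly generated key pair would authenticate as any enrolled user (claim 16 meets the same concern differently, by encrypting the public key so that only the service recognizes it). AuthService, Enroll, Respond and Authenticate are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Response is what the user returns for a challenge (claim 13b): the signed
// challenge and the user's public key. The page names no algorithm; this example
// uses ECDSA P-256, so "decrypting with the public key" is signature verification.
type Response struct {
	UserID    string
	Signature []byte
	PublicKey *ecdsa.PublicKey
}

// AuthService keeps the customer database of enrolled public keys (claim 12f)
// and the challenges it has issued but not yet consumed.
type AuthService struct {
	enrolled map[string]*ecdsa.PublicKey
	pending  map[string]bool // hex(challenge) -> still valid
}

func NewAuthService() *AuthService {
	return &AuthService{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Enroll generates the user's key pair and records the public key (claim 12 b, f).
func (a *AuthService) Enroll(userID string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.enrolled[userID] = &priv.PublicKey
	return priv, nil
}

// Challenge is claim 13a: a fresh 32-byte nonce. Remembering it so that it is
// honoured once only is this example's addition; the claim does not say so.
func (a *AuthService) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	a.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Respond is claim 13b on the user's side.
func Respond(userID string, priv *ecdsa.PrivateKey, challenge []byte) (Response, error) {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Response{UserID: userID, Signature: sig, PublicKey: &priv.PublicKey}, err
}

// Authenticate is claims 13c to 13e and fails closed. The key presented in the
// response is checked against the enrolled key instead of being trusted on its
// own; otherwise any fresh key pair would authenticate as any user.
func (a *AuthService) Authenticate(challenge []byte, r Response) (bool, error) {
	key := hex.EncodeToString(challenge)
	if !a.pending[key] {
		return false, errors.New("unknown or already used challenge")
	}
	delete(a.pending, key)
	enrolled, ok := a.enrolled[r.UserID]
	if !ok {
		return false, errors.New("user not enrolled")
	}
	if r.PublicKey == nil || !enrolled.Equal(r.PublicKey) {
		return false, errors.New("presented public key is not the enrolled key")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(enrolled, h[:], r.Signature) {
		return false, errors.New("response not authentic")
	}
	return true, nil
}

func main() {
	svc := NewAuthService()
	alice, _ := svc.Enroll("alice")
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ch, _ := svc.Challenge()
	r, _ := Respond("alice", alice, ch)
	ok, err := svc.Authenticate(ch, r)
	fmt.Println("alice:", ok, err)
	ok, err = svc.Authenticate(ch, r) // same response presented again
	fmt.Println("replay:", ok, err)
	ch, _ = svc.Challenge()
	r, _ = Respond("alice", impostor, ch) // right name, wrong key pair
	ok, err = svc.Authenticate(ch, r)
	fmt.Println("impostor:", ok, err)
}
```

Running main prints true for the enrolled user's first response, then false with "unknown or already used challenge" for the replay and false with "presented public key is not the enrolled key" for the impostor; a response from a user ID that was never enrolled is refused before any signature is examined.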

14. The method of claim 13 further comprising the acts of:

a) allowing authenticated users to optionally submit variable credentials;

b) receiving variable credentials submitted by authenticated users;

c) storing the variable credentials in the customer database according to user;

d) providing authenticated users discovery software, whereby authenticated
users may dynamically discover enrolled users according to search criteria; and

e) granting authenticated users access to search the public permanent
credentials and the variable credentials in the customer database, using said
discovery software.

15. The method of claim 14 further comprising making available collaboration
software to each of said plurality of groups of connected users to facilitate
communication among the at least two authenticated users of each group, wherein
said collaboration software makes information from the audit trail available to each
of said at least two authenticated users of each of said plurality of groups of
connected users.
16. The method of claim 15 wherein:

a) the software PKI authentication system is a pseudo-PKI system of the type
which cryptographically camouflages the unique private keys in a software
container,

b) wherein the unique public key is encrypted in a form recognizable to the
common authentication agent and stored in a digital certificate,

c) wherein the act of authenticating an enrolled user to the common
authenticating service further comprises the act of decrypting the encrypted
unique public key unique to the enrolled user prior to decrypting the
response.
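Claims 16a to 16c describe cryptographic camouflage: the private key is kept in a software container so that any PIN yields a well-formed key, and the matching public key is itself encrypted in the certificate so that only the service can use it to tell a correct unlock from an incorrect one. The Go sketch below is an added example, not the patent's or any vendor's implementation, and it assumes things the claims do not state: P-256 keys, camouflage as a PIN-derived offset added to the private scalar mod n, and AES-256-GCM under a service-held key for the certificate. Recognize performs claim 16c's step of decrypting the public key before anything else is checked, and then compares keys rather than checking a signature, to isolate the property that matters: a wrong PIN produces a key that signs perfectly well, and only the holder of the service key can tell it is the wrong one, so an attacker who steals the container has no offline oracle for PIN guessing. Wallet, Issue, Camouflage, Uncamouflage and Recognize are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

var curve = elliptic.P256()

// Wallet is the user's "software container" (claim 16a): the camouflaged private
// key plus the certificate whose public key is encrypted under a key only the
// service holds (claim 16b). Cert = nonce || AES-GCM ciphertext of the point.
type Wallet struct {
	CamouflagedPriv []byte
	Cert            []byte
}

func pinOffset(pin string) *big.Int {
	h := sha256.Sum256([]byte("camouflage-pin:" + pin)) // label is this example's choice
	return new(big.Int).SetBytes(h[:])
}

// Camouflage stores the scalar as (d + H(pin)) mod n with, deliberately, no
// integrity tag: every PIN decodes to a well-formed scalar, so a guess cannot be
// confirmed offline without the public key.
func Camouflage(d *big.Int, pin string) []byte {
	sum := new(big.Int).Add(d, pinOffset(pin))
	return sum.Mod(sum, curve.Params().N).FillBytes(make([]byte, 32))
}

// Uncamouflage returns the key pair a PIN yields; a wrong PIN gives a different,
// equally plausible pair rather than an error.
func Uncamouflage(blob []byte, pin string) *ecdsa.PrivateKey {
	d := new(big.Int).Sub(new(big.Int).SetBytes(blob), pinOffset(pin))
	d.Mod(d, curve.Params().N)
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

func gcm(serviceKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(serviceKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue is the service side of enrollment (claim 12 b and e): generate the pair,
// camouflage the private key under the user's PIN and seal the public key into a
// certificate only the service can open. serviceKey is an assumed 32-byte
// service-held AES key.
func Issue(serviceKey []byte, pin string) (Wallet, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return Wallet{}, err
	}
	g, err := gcm(serviceKey)
	if err != nil {
		return Wallet{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Wallet{}, err
	}
	point := elliptic.Marshal(curve, priv.X, priv.Y)
	return Wallet{CamouflagedPriv: Camouflage(priv.D, pin), Cert: append(nonce, g.Seal(nil, nonce, point, nil)...)}, nil
}

// Recognize is claim 16c from the service's side: decrypt the certificate's
// public key first, then decide whether a candidate pair (whatever some PIN
// unlocked) is the enrolled one. Only a holder of serviceKey can do this, which
// is what denies an attacker an offline PIN oracle.
func Recognize(serviceKey, cert []byte, candidate *ecdsa.PrivateKey) (bool, error) {
	g, err := gcm(serviceKey)
	if err != nil {
		return false, err
	}
	ns := g.NonceSize()
	if len(cert) < ns {
		return false, errors.New("malformed certificate")
	}
	point, err := g.Open(nil, cert[:ns], cert[ns:], nil)
	if err != nil {
		return false, errors.New("certificate not recognizable to this service")
	}
	x, y := elliptic.Unmarshal(curve, point)
	if x == nil {
		return false, errors.New("certificate does not carry a P-256 point")
	}
	return x.Cmp(candidate.X) == 0 && y.Cmp(candidate.Y) == 0, nil
}
```

Issue(serviceKey, "2468") returns a wallet; Uncamouflage(w.CamouflagedPriv, "2468") and Uncamouflage(w.CamouflagedPriv, "0000") both return usable ECDSA keys, but Recognize(serviceKey, w.Cert, key) is true only for the first, and returns an error rather than false when called with any key other than the service's, because the certificate is not recognizable to anyone else. The offset construction is a deliberately minimal stand-in for a camouflage scheme; a deployable one also has to make everything else in the container (formats, checksums, version fields) carry no information that distinguishes the right PIN.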



17. The method of claim 16 wherein the persistent authentication and mediation
service is provided by at least one host site connected to the distributed network,
said at least one host site comprising at least one computer server operated by an
open software platform providing intelligent interactions, wherein the operation of
the persistent authentication and mediation service is implemented by software
operating on the open software platform.

18. The method of claim 17 wherein interactions between users and the persistent
authentication and mediation service are mediated through the open software
platform.

19. The method of claim 18 wherein some of the plurality of groups of connected
users comprise at least three authenticated users.

20. The method of claim 19 wherein some of the plurality of groups of at least three
connected users comprise users of different types.

21. The method of claim 18 wherein the distributed network is the public Internet.

22. An online service for conducting business transactions among microprocessor
equipped devices over a distributed network, the online service comprising:

a) a host site connected to the network, the host site comprising an open
software platform providing intelligent interactions;

b) a persistent authentication and mediation service, the persistent
authentication and mediation service comprising a software PKI
authentication agent operating on said open software platform such that
communications over the network by said persistent authentication and
mediation service are mediated by said open software platform;

c) a customer database comprising permanent credentials and dynamically
variable information corresponding to users of the online service and a
database manager for managing the customer database;

d) software operating on said open software platform which performs at least
the following functions:

i) enrolling users seeking enrollment in the persistent authentication
and mediation service to produce enrolled users,

ii) storing credentials corresponding to enrolled users in the customer
database,

iii) authenticating enrolled users seeking authentication to the
persistent authentication and mediation service to produce
authenticated users,

iv) allowing authenticated users to discover enrolled users according
to search criteria,

v) allowing authenticated users to be connected under mediation of
the persistent authentication and mediation service through the
open software platform,

vi) allowing collaboration between authenticated users which have
been connected, and

vii) memorializing transactions between authenticated users.

23. The online service defined in claim 22 where the function of enrolling users
seeking enrollment in the persistent authentication and mediation service comprises
the functions of:

a) distributing software to a user seeking enrollment which enables
microprocessor equipped devices operated by the user seeking enrollment
to interact with the persistent authentication and mediation service,

b) generating a unique private key, and a unique public key for the user
seeking enrollment,

c) obtaining permanent credentials particular to each of the user seeking
enrollment, said credentials comprising public permanent credentials and
secret permanent credentials,

d) deciding whether to approve the applicant seeking enrollment;

e) distributing the unique public key and the unique private key to the user
seeking enrollment if the user seeking enrollment is approved, and

f) storing said permanent credentials in a customer database, said customer
database being accessible to said persistent authentication and mediation
service, whereby the user seeking enrollment becomes one of said
multiplicity of enrolled users, and

g) repeating steps (a) through (f) for each applicant seeking enrollment.

24. The online service defined in claim 23 wherein the function of authenticating
enrolled users seeking authentication to the persistent authentication and mediation
service comprises the functions of:

a) generating a challenge message from the persistent authentication and
mediation service and sending it over the public network to an enrolled
user seeking authentication,

b) receiving a response to the challenge from the user seeking authentication,
said response comprising an encrypted message and the unique public key
unique to the enrolled user seeking authentication,

c) verifying the authenticity of the response to the challenge, the act of
verifying the authenticity comprising the act of decrypting the response
using the public key unique to the enrolled user seeking authentication to
produce a decrypted response,

d) authenticating the enrolled user seeking authentication if the decrypted
response indicates that the response was authentic, whereby the enrolled
user seeking authentication becomes an authenticated user,

e) rejecting the user if the decrypted response indicates that the response was
not authentic, and

f) repeating steps (a) through (e) for each enrolled user seeking
authentication.

25. The online service defined in claim 24 wherein:

a) the software PKI authentication agent is a pseudo-PKI system of the type
which cryptographically camouflages each of the unique private keys in a
software container,

b) wherein each of the unique public keys is encrypted in a form recognizable
to the common authentication agent and stored in a digital certificate,

c) wherein the function of authenticating an enrolled user to the common
authenticating service further comprises the function of decrypting the
encrypted unique public key unique to the enrolled user prior to decrypting
the response.

26. The online service defined in claim 25 wherein the distributed network is the public
Internet.

27. A system for conducting business transactions over a distributed network, the
system comprising:

a) a persistent authentication and mediation service site providing a persistent
authentication and mediation service, said site connected to the public
network, said site comprising

i) an open software platform application providing intelligent
interactions, said platform application mediating all interactions of
said persistent authentication and mediation service site via said
public network,

ii) an authentication agent application comprising a software pseudo-PKI
authentication application operating on said open software
platform application, said common authentication agent application
comprising software which enrolls new business users producing
enrolled users and authenticates the enrolled users,

iii) an audit agent application operating on said open software platform
which logs and monitors interactions mediated by the open
software platform,

iv) a discovery software application operating on said open software
platform, and

v) a collaboration software application operating on said open
software platform;

b) a multiplicity of user sites operated by the enrolled users, the user sites
being connected to the public network, each site operating at least one
computer application whereby it may interact with other business users and
each site further comprising software which allows interaction with the
persistent authentication and mediation service, a software camouflaged
private key, and a digital certificate, said digital certificate comprising an
encrypted pseudo-public key recognizable to said persistent authentication
and mediation service;

c) a database of authentication information pertaining to the enrolled business
users of said persistent authentication and mediation service, the database
accessible to the common authentication application.

28. The system defined in claim 27 further comprising a plurality of authentication
provider applications accessible by the authentication agent application.

29. The system defined in claim 28 wherein at least one authentication provider
application is located at a different site than the persistent authentication and
mediation service site.
30. The system defined in claim 28 further comprising a plurality of audit provider
applications accessible by the audit agent application.

31. The system defined in claim 29 wherein at least one authentication application
provider is located at a different site than the persistent authentication and
mediation service site.

32. The system defined in claim 29 wherein the network is the public Internet.

33. The system defined in claim 31 wherein the network is the public Internet.

34. The system defined in claim 33, wherein the user sites comprise sites which are
chosen from the group consisting of user sites which access the network via a
browser operating on a computer, mobile telephonic devices which access the
network, world wide web sites, and sites comprising applications without a user
interface.

35. An apparatus for providing a service for conducting authenticated business
transactions involving a multiplicity of users over a distributed network, the
apparatus comprising:

a) at least one application server connected to the public network, the at least
one application server having a computer processor and a computer
readable memory, the memory storing the software to implement the
service, the software comprising

i) an open software platform providing intelligent interactions,

ii) a software pseudo-PKI authentication agent application, operating
on said open software platform,

iii) a discovery software application, operating on said open software
platform, and

iv) a collaboration software application, operating on said open
software platform;

b) at least one database server, the at least one database server comprising a
business users database, the business users database comprising

i) authenticated data about registered business users, said
authenticated data being protected from user modification;

ii) data pertaining to registered business users which is dynamically
modifiable by said business users; and

iii) data needed for linking business users;

whereby the application server facilitates authenticated interactions
between business users, including the ability to access other authenticated
users without repeated logging in, the ability to dynamically search for
authenticated users according to user defined specifications, and
accomplish peer to peer collaboration.

36. An apparatus as defined in claim 35 where the distributed network is the Internet.